After reboot, the system should have taken a while to label the filesystems on boot and then rebooted a second time when that was complete. However, neither labeling nor rebooting occurred.

The command:

check-selinux-installation

returns:

/usr/sbin/check-selinux-installation:19: DeprecationWarning: os.popen3 is deprecated. Use the subprocess module.
@staticmethod
/usr/sbin/check-selinux-installation:23: DeprecationWarning: os.popen2 is deprecated. Use the subprocess module.
def fix():
getfilecon: getfilecon(/proc/1) failed
SELinux is not enabled.
Could not read the domain of PID 1.
/etc/pam.d/login is not SELinux enabled
FSCKFIX is not enabled - not serious, but could prevent system from booting...

This is strange because the kernel is SELinux-enabled, and the grub.cfg does contain the selinux=1 option.

I've just uploaded selinux-basics 0.5.1 to Debian experimental. Could you please try with that version. But anyway, you could use sestatus to check the status of selinux on your system.
–
BigonDec 15 '12 at 13:32

1 Answer
1

If it returns #FSCKFIX=no then use gedit or any other editing tool to edit the rcS file uncomment the line and set it to yes (like this FSCKFIX=yes) then save and exit gedit.
After editing the file re-enter the command
grep FSC /etc/default/rcS should return FSCKFIX=yes

if the command check-selinux-installation returns just

/etc/pam.d/login is not SELinux enabled

then it's fine and the above return is a false positive.
For editing grub.cfg and checking the audit; follow the steps given by Debian Wiki for SELinux Setup. Use linux with enhanced security ~ SELinux.